DAHS Data Security Checklist

Info

This checklist, developed by the School of Medicine Information Security Office, is designed to be a high level list of items that will help improve information security in your environment. The list is intended to be a baseline and is certainly not all-inclusive. Questions about particular items can be sent to security@med.unc.edu. This checklist is for DAHS researchers only – do not distribute to other departments. OIS will be developing an expanded version of this for the School of Medicine.

PC Desktops:

All DAHS machines are supposed to be joined to the AD domain; this is a network setting that OIS should have come out and configured in 2011 and 2012. If your machine is on the AD domain, items 1, 2 and 5 below are already taken care of. If you are not sure whether you are on the AD domain, contact OIS.

Configured to automatically update Windows Security Patches

Most machines are configured this way. Ask OIS Tech Support if unsure.

Network storage is normally mapped to a higher drive letter, such as the J drive. If you are unsure whether you have been assigned network storage, ask OIS Tech Support.

If you need to sign up for network storage, contact OIS for details.

Iron Mountain backup installed for important local machines. This can be helpful if you store information on your local machine – note item #7 above about sensitive information. See Iron Mountain details here: http://help.unc.edu/5662

PC Laptops:

Encrypted with PGP Whole Disk Encryption – all laptops used in human subject research are required to be encrypted.

Iron Mountain backup installed for important machines. This can be helpful if you store information on your local machine – note item #7 above about sensitive information. See Iron Mountain details here: http://help.unc.edu/5662
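The following is an added example, not part of the DAHS checklist: a read-only self-check for the PC Desktop and PC Laptop items above (AD domain membership, automatic Windows updates, mapped network storage, and PGP Whole Disk Encryption on laptops). Run it in a Windows PowerShell prompt as the user who normally uses the machine. Assumptions, which are not stated on this page: the script reports any domain join rather than checking for a specific campus domain name; PGP Desktop's command-line tool pgpwde.exe is looked for in its default install folder; and the status text it matches ("encrypted") should be confirmed against the output of your PGP version.

```powershell
# Added self-check for the DAHS PC Desktop / PC Laptop items (not OIS code).
# Read-only: it queries WMI, the Windows Update registry keys, and PGP's status tool.

function Test-DomainJoined {
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $joined = [bool]$cs.PartOfDomain
    if ($joined) { $detail = "Joined to domain $($cs.Domain)" }
    else { $detail = "Workgroup '$($cs.Domain)'; not domain-joined, contact OIS" }
    [pscustomobject]@{ Check = 'AD domain membership'; Pass = $joined; Detail = $detail }
}

function Test-AutoUpdate {
    # A Group Policy setting (Policies key) overrides the local Auto Update key.
    $policy = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $local  = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    $disabled = ($null -ne $policy) -and ($policy.NoAutoUpdate -eq 1)
    # AUOptions: 2 = notify before download, 3 = download then notify, 4 = download and install automatically
    $option = $null
    if ($policy -and $policy.AUOptions) { $option = $policy.AUOptions }
    elseif ($local -and $local.AUOptions) { $option = $local.AUOptions }
    $pass = (-not $disabled) -and ($option -eq 4)
    if ($disabled) { $detail = 'Automatic updates disabled by policy' }
    elseif ($null -eq $option) { $detail = 'AUOptions not set; ask OIS Tech Support' }
    else { $detail = "AUOptions = $option (4 = install automatically)" }
    [pscustomobject]@{ Check = 'Automatic Windows updates'; Pass = $pass; Detail = $detail }
}

function Test-NetworkStorage {
    # Mapped drives are per user session, which is why this runs as the normal user.
    $mapped = @(Get-WmiObject -Class Win32_MappedLogicalDisk)
    if ($mapped.Count -gt 0) {
        $detail = ($mapped | ForEach-Object { "$($_.DeviceID) -> $($_.ProviderName)" }) -join '; '
    } else {
        $detail = 'No mapped network drives; ask OIS Tech Support whether you have network storage'
    }
    [pscustomobject]@{ Check = 'Network storage mapped'; Pass = ($mapped.Count -gt 0); Detail = $detail }
}

function Test-WholeDiskEncryption {
    # Assumption: pgpwde.exe lives in PGP Desktop's default install folder.
    $candidates = @(${env:ProgramFiles(x86)}, $env:ProgramFiles) | Where-Object { $_ } |
        ForEach-Object { Join-Path $_ 'PGP Corporation\PGP Desktop\pgpwde.exe' }
    $pgpwde = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
    if (-not $pgpwde) {
        return [pscustomobject]@{ Check = 'Whole disk encryption'; Pass = $false
                                  Detail = 'PGP Desktop not found; laptops used in human subject research must be encrypted' }
    }
    $status = (& $pgpwde --status --disk 0 2>&1 | Out-String).Trim()
    # Assumption: the status text says "encrypted" for an encrypted disk; confirm against your PGP version.
    $pass = ($status -match 'encrypted') -and ($status -notmatch 'not encrypted')
    [pscustomobject]@{ Check = 'Whole disk encryption'; Pass = $pass; Detail = $status }
}

function Invoke-DahsSelfCheck {
    $results = @(
        Test-DomainJoined
        Test-AutoUpdate
        Test-NetworkStorage
        Test-WholeDiskEncryption
    )
    $results | Format-Table Check, Pass, Detail -AutoSize -Wrap
}

Invoke-DahsSelfCheck
```

A "Pass" of False on any row is a prompt to contact OIS Tech Support, not proof of a problem: a desktop without a PGP install is expected, and a mapped drive that exists only in another user's session will not show up here.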

Email:

The campus email system has been approved for sending and storing sensitive information.

To send secure email to an address outside of the campus system, place the word Secure in parentheses at the beginning of the subject line. This will show you an example of what your recipients will receive. Example Subject Line: (Secure) This is a sensitive message.

Before sending an actual secure message, we recommend that you send a test secure message to an outside account, such as your Gmail or Hotmail account to ensure that you are doing it correctly.

Secure mail sent to on-campus addresses does not need (Secure) in the subject.

Recipients of secure messages cannot send an encrypted reply to the message, so do not ask the recipient to reply with sensitive information.
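The following is an added example, not part of the DAHS checklist: a pre-send check of the (Secure) subject-line rule above, which a researcher can run against a draft before relying on the gateway to encrypt it. Assumptions not stated on the page: the campus email system covers unc.edu and its subdomains (pass a different -CampusDomains list if yours differs); the tag is compared case-insensitively and leading spaces are ignored; all sample addresses are constructed.

```powershell
# Added pre-send check for the (Secure) subject-line rule (not OIS code).

function Get-MailDomain {
    param([string] $Address)
    # Accepts "Jane Doe <jane@example.org>" as well as a bare address.
    if ($Address -match '<([^>]+)>') { $Address = $Matches[1] }
    return ($Address.Trim() -split '@')[-1].ToLowerInvariant()
}

function Test-SecureMail {
    param(
        [Parameter(Mandatory = $true)] [string[]] $To,
        [Parameter(Mandatory = $true)] [string] $Subject,
        [string[]] $CampusDomains = @('unc.edu')   # assumption: campus domain(s)
    )
    # A recipient is on campus only if its domain is a campus domain or a subdomain of one;
    # a lookalike such as unc.edu.example.org is treated as external.
    $external = @($To | Where-Object {
        $d = Get-MailDomain $_
        $campus = @($CampusDomains | Where-Object { $d -eq $_ -or $d.EndsWith('.' + $_.ToLowerInvariant()) })
        $campus.Count -eq 0
    })
    # Assumption: the gateway accepts the tag case-insensitively and ignores leading spaces.
    $tagged = $Subject.TrimStart() -like '(Secure)*'
    if ($external.Count -eq 0) {
        $encrypted = $true
        $note = 'All recipients are on campus; no (Secure) tag needed'
    } elseif ($tagged) {
        $encrypted = $true
        $note = 'External recipient(s) ' + ($external -join ', ') + ': tag present; note that they cannot reply encrypted'
    } else {
        $encrypted = $false
        $note = 'External recipient(s) ' + ($external -join ', ') + ': add (Secure) at the start of the subject before sending'
    }
    [pscustomobject]@{ Encrypted = $encrypted; External = $external; Note = $note }
}

# Constructed sample drafts (not real addresses).
Test-SecureMail -To 'colleague@med.unc.edu' -Subject 'Enrollment numbers'
Test-SecureMail -To 'pi@med.unc.edu', 'stats@example.org' -Subject 'Enrollment numbers'
Test-SecureMail -To 'Stats Vendor <stats@example.org>' -Subject '(Secure) Enrollment numbers'
Test-SecureMail -To 'someone@unc.edu.example.org' -Subject 'Enrollment numbers'
```

The second and fourth drafts come back with Encrypted = False: one mixed on- and off-campus recipient is enough to require the tag, and a domain that merely contains unc.edu is still external. The check only confirms the subject is formed correctly; the test message to an outside account recommended above remains the real proof that the gateway encrypted it.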

Never open an email attachment unless you know both the sender and that the sender intended to send it to you. The same applies to instant messages: if you do not know the sender, or you were not the intended recipient, do not click any links in the message.

Server Management:

If you are the systems administrator for your own server (typically running Windows Server 2008, Linux, Unix, etc.) and that server stores sensitive information, then it must be registered in the campus System Administration Initiative (SAI). Requirements for SAI can be found here: http://help.unc.edu/CCM3_032197

Most people do not need to manage their own server. Centralized services are available to provide most services that were provided by local servers. Using centralized services is typically far more cost effective and secure than “building your own”. If you have questions about central services, send an email to help@med.unc.edu and somebody will meet with you to discuss your needs.

CAUTION: Protect the password. The help desk will not be able to recover the data if the password is lost.

Fax Machines:

Fax machines that typically receive sensitive faxes should not be located in unattended public spaces or unlocked office areas.

Fax machines should be checked regularly for any faxes that might have been received.

Faxes should be removed from the machine as soon as possible.

Fax servers should not be left logged in while unattended. Passwords to fax servers should not be posted on or near the machine.

Password Management:

We recommend using a password management tool to safely manage the many passwords that most people must maintain. Two that have been used here:

Keepass (www.keepass.info) – Free open source product with versions available for most platforms.

Roboform (www.roboform.com) – Commercial product. Free version will allow up to 10 passwords. Commercial version costs about $10 per year.

Cloud Storage and Cloud-based Applications:

Cloud applications such as Gmail, Google Docs, Dropbox, Mozy, Carbonite, etc. are not approved for storage of sensitive information unless a signed Business Associate Agreement (BAA), approved by University Counsel, is in place.

Most of these services have not signed, or will not sign, a BAA. Iron Mountain is currently the only one that has signed.

Physical Security:

There are no written general policies that specify minimum physical security requirements for sensitive information. However, due diligence and common sense should prevail. Like information security, physical security should be done in layers. Examples include:

Locked file cabinet

i. Who has access to the space?

ii. Are there emergency access procedures?

Locked office space

i. Do cleaning crews have unlimited access to the space?

Card swipe building access

Is the office off campus? Who else has access to the building?

Business Associate Agreements (BAA):

Before entering into any agreements with outside vendors or organizations to store, access, or process any of the University’s or Health Care System’s Protected Health Information, there must be a signed BAA in place which has been approved by the Office of University Counsel. Contact security@med.unc.edu for more information.